The Seamless Campaign Isn’t Losing Any Steam

Some security researchers on Tuesday had noted that their requests for the Seamless gates were failing. However, if there was any noticeable stoppage, it certainly didn’t last very long. Shortly after hearing about this, I started checking my logs for any exploit kit activity and, as usual, I found a detection for RIG EK from one of our Palo Alto firewalls. Checking the traffic before the RIG EK detection showed the culprit to be the Seamless campaign.

The redirection chain that I found hasn’t changed much; however, this is the first time I’ve seen requests for /vnc-seller and /vnc-seller/. This could have had something to do with the geo-location of the host or the HTTP referer.

Other notable changes include the addition of the domain paremated-conproxy[.]com and the subdomain 15cen.redirectvoluum[.]com. They had been using the subdomains tqbeu.voluumtrk[.]com and tqbeu.redirectvoluum[.]com to redirect hosts to the Seamless gate.

The domain paremated-conproxy[.]com was first seen on 8/18/17. The Whois information is private. The subdomain 15cen.redirectvoluum[.]com was registered by CodeWise and was first seen on 08/21/17. They’re using CodeWise’s marketing suite called “Voluum”.

Furthermore, the Seamless .php file that returns the iframe pointing to the RIG EK landing page is now called signu[1-4].php rather than signup[1-4].php.
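To turn the indicators above (the Voluum redirector subdomains, the new paremated-conproxy[.]com domain, the /vnc-seller paths and the renamed signu[1-4].php gate script) into something a proxy-log review can use, here is an added Python example; it is not code from the original post. The log format, the client addresses and the hosts seamless-hop.example, seamless-gate.example, rig-landing.example and video-site.example are constructed placeholders, since the post does not name the gate or landing-page hosts.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the post, kept defanged as written there and refanged for matching.
SEAMLESS_HOSTS_DEFANGED = [
    "paremated-conproxy[.]com",
    "15cen.redirectvoluum[.]com",
    "tqbeu.voluumtrk[.]com",
    "tqbeu.redirectvoluum[.]com",
]
SEAMLESS_PATHS = {"/vnc-seller", "/vnc-seller/"}
# The post notes the gate script was renamed from signup[1-4].php to signu[1-4].php;
# match both spellings so older traffic is still caught.
GATE_SCRIPT = re.compile(r"/signup?[1-4]\.php$")


def refang(indicator):
    """Convert the defanged 'a[.]b' form used in the write-up into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()


SEAMLESS_HOSTS = {refang(h) for h in SEAMLESS_HOSTS_DEFANGED}

# Constructed proxy-log format for this example: <ts> <client> <method> <url> <status> "<referer>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+'
    r'(?P<status>\d{3})\s+"(?P<referer>[^"]*)"$'
)

# Constructed sample traffic: one client walking the chain, one client doing nothing interesting.
SAMPLE_LOG = [
    '2017-08-22T14:02:11Z 10.0.0.5 GET http://video-site.example/watch?v=123 200 "-"',
    '2017-08-22T14:02:12Z 10.0.0.5 GET http://tqbeu.redirectvoluum.com/click 302 "http://video-site.example/watch?v=123"',
    '2017-08-22T14:02:13Z 10.0.0.5 GET http://15cen.redirectvoluum.com/redirect 302 "http://video-site.example/watch?v=123"',
    '2017-08-22T14:02:14Z 10.0.0.5 GET http://seamless-hop.example/vnc-seller/ 302 "http://15cen.redirectvoluum.com/redirect"',
    '2017-08-22T14:02:15Z 10.0.0.5 GET http://seamless-gate.example/signu2.php 200 "http://seamless-hop.example/vnc-seller/"',
    '2017-08-22T14:02:16Z 10.0.0.5 GET http://rig-landing.example/ 200 "http://seamless-gate.example/signu2.php"',
    '2017-08-22T14:05:00Z 10.0.0.9 GET http://news.example/index.html 200 "-"',
]


def parse_line(line):
    """Parse one log line into a dict with host and path split out; None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    url = urlsplit(entry["url"])
    entry["host"] = (url.hostname or "").lower()
    entry["path"] = url.path or "/"
    return entry


def match_indicators(entry):
    """Return the list of reasons a parsed entry matches the Seamless indicators (empty if none)."""
    reasons = []
    if entry["host"] in SEAMLESS_HOSTS:
        reasons.append("redirector host " + entry["host"])
    if entry["path"] in SEAMLESS_PATHS:
        reasons.append("path " + entry["path"])
    if GATE_SCRIPT.search(entry["path"]):
        reasons.append("gate script " + entry["path"].rsplit("/", 1)[-1])
    return reasons


def scan(lines):
    """Return every flagged request as {ts, client, url, reasons}, in log order."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = match_indicators(entry)
        if reasons:
            hits.append({"ts": entry["ts"], "client": entry["client"],
                         "url": entry["url"], "reasons": reasons})
    return hits


def redirect_chain(lines, client):
    """Ordered list of hosts one client touched: publisher -> redirectors -> gate -> EK landing."""
    entries = [e for e in map(parse_line, lines) if e and e["client"] == client]
    entries.sort(key=lambda e: e["ts"])
    return [e["host"] for e in entries]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["client"], hit["url"], "->", "; ".join(hit["reasons"]))
    print("chain for 10.0.0.5:", " -> ".join(redirect_chain(SAMPLE_LOG, "10.0.0.5")))
```

The host and path indicators are the brittle part (the post itself shows the campaign rotating Voluum subdomains and renaming the gate script within days), which is why the chain reconstruction is kept separate: once any one hop fires, pulling the client's full ordered request list is what shows the publisher at the front and the RIG EK landing page at the end.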

It was at this point that I decided to go hunting for my own infection.

The publisher that I used for my infection chain was another video streaming site. According to Alexa it is currently ranked in the top 69,000 globally and top 36,000 in the United States. Below is Alexa’s statistics on the site’s visitors by country:

| Country        | Percent of Visitors | Rank in Country |
|----------------|---------------------|-----------------|
| United States  | 27.20%              | 35,100          |
| United Kingdom | 14.60%              | 13,900          |
| India          | 12.50%              | 23,900          |
| South Africa   | 4.60%               | 7,500           |
| Australia      | 3.80%               | 19,100          |

Overall the site received roughly 340,000 visitors in the last 30 days.

Below is a flowchart from my infection:

Below is an image of the HTTP, DNS, and C2 traffic filtered in Wireshark:

The Ramnit payload was dropped and detonated in %Temp%. We then see the malware copy itself to a new folder in %LocalAppData% where it was then executed.

Once the file is run from %LocalAppData%, we see the first DNS query for Google.com. After successfully resolving Google.com comes the DNS query for the C2 domain h62yeey62tqgshy.com (resolves to 46.173.213.134). The infected host then initiated connections to the C2 server via TCP port 443.

During this same time, you see two more copies of the malware being dropped back into %Temp% as well as Ramnit’s .log files being created in various locations like %LocalAppData% and %ProgramData%:

This same beaconing pattern with Google.com and the C2 repeats itself over and over again:

[Image: socket information, including the name and ID of the process responsible for the connection]
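The repeating Google.com lookup followed by the C2 lookup and a TCP/443 connection is the kind of pattern that is easier to pick out of DNS and connection logs than out of a packet capture. The following Python is an added example, not part of the original post: it takes a stream of DNS and connection events, finds domains looked up at a steady cadence, and counts how often each lookup was preceded by the Google.com connectivity check and followed by a connection to the address it resolved to. The C2 domain, its address and the port are from the post; the 300-second cadence, the placeholder answer for Google.com (198.51.100.1) and the unrelated update.example and cdn.example traffic are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Values taken from the post: the C2 domain, its resolved address and the port used.
C2_DOMAIN = "h62yeey62tqgshy.com"
C2_IP = "46.173.213.134"
C2_PORT = 443
# The post shows a Google.com lookup immediately before every C2 lookup; treat it as a
# connectivity check rather than as a beacon candidate in its own right.
CHECK_DOMAIN = "google.com"

# Constructed event stream: (seconds from start, kind, fields...).
#   ("dns",  qname, answer_ip)   ("conn", dst_ip, dst_port)
# The 300-second cadence is an assumption for this example; the post does not state it.
SAMPLE_EVENTS = []
for k in range(4):
    base = 300 * k
    SAMPLE_EVENTS += [
        (base,     "dns",  CHECK_DOMAIN, "198.51.100.1"),  # placeholder answer for the check
        (base + 1, "dns",  C2_DOMAIN,    C2_IP),
        (base + 2, "conn", C2_IP,        C2_PORT),
    ]
# Unrelated, irregular traffic that should not be flagged.
SAMPLE_EVENTS += [
    (50,   "dns",  "cdn.example",    "203.0.113.20"),
    (100,  "dns",  "update.example", "203.0.113.10"),
    (101,  "conn", "203.0.113.10",   443),
    (400,  "dns",  "update.example", "203.0.113.10"),
    (1000, "dns",  "update.example", "203.0.113.10"),
]


def find_beacons(events, min_lookups=3, max_jitter=0.25, window=5):
    """Return {qname: stats} for domains looked up at a regular interval.

    jitter is pstdev/mean of the gaps between lookups (0.0 = perfectly regular);
    check_preceded counts lookups that came within `window` seconds after a CHECK_DOMAIN
    lookup; followed_by_conn counts lookups followed within `window` seconds by a
    connection to the address the lookup returned.
    """
    dns = defaultdict(list)   # qname -> [(ts, answer_ip)]
    conns = []                # [(ts, dst_ip, port)]
    for ev in sorted(events, key=lambda e: e[0]):
        if ev[1] == "dns":
            dns[ev[2]].append((ev[0], ev[3]))
        elif ev[1] == "conn":
            conns.append((ev[0], ev[2], ev[3]))
    check_times = [t for t, _ in dns.get(CHECK_DOMAIN, [])]

    flagged = {}
    for qname, lookups in dns.items():
        if qname == CHECK_DOMAIN or len(lookups) < min_lookups:
            continue
        times = [t for t, _ in lookups]
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter > max_jitter:
            continue
        preceded = sum(1 for t in times if any(0 <= t - c <= window for c in check_times))
        followed = sum(
            1 for t, ip in lookups
            if any(0 <= ct - t <= window and dst == ip for ct, dst, _ in conns)
        )
        flagged[qname] = {
            "lookups": len(times),
            "mean_interval": avg,
            "jitter": jitter,
            "check_preceded": preceded,
            "followed_by_conn": followed,
            "resolved_to": sorted({ip for _, ip in lookups}),
        }
    return flagged


if __name__ == "__main__":
    for qname, stats in find_beacons(SAMPLE_EVENTS).items():
        print(qname, stats)
```

The jitter threshold is deliberately loose: the infected host in the post beacons on a very regular schedule, but a detection tuned only for zero jitter is trivial to evade, so the corroborating counts (check-preceded, connection-followed, a single resolved address) are what make the result worth an analyst's time rather than the cadence alone.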

We can also see that the malware creates various methods of persistence on the system, including creating a file in Startup and setting some values in the registry: